中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:2 天前 重新扫描
5 /100
hyfceph
Run the HYFCeph cephalometric workflow through the HYFCeph portal with an API key by uploading one or two local lateral ceph images
HYFCeph is a legitimate medical cephalometric analysis skill that uploads user-provided images to a remote API and renders analysis results. All capabilities are properly declared, and the flagged base64 IOCs are standard image data handling—not obfuscation.
技能名称hyfceph
分析耗时48.3s
引擎pi
可以安装
No action required. The skill operates as documented.

安全发现 2 项

严重性 安全发现 位置
低危
Base64 IOCs are legitimate image decoding 文档欺骗
The pre-scan flagged Buffer.from(..., 'base64') at lines 110, 596, 605 of hyfceph-service-client.mjs as potential obfuscation. These are standard base64→binary conversions for PNG/SVG image data received from the server, used to write annotation and contour image files. This is expected behavior for a server-client image workflow with no malicious intent.
await fs.writeFile(filePath, Buffer.from(base64, 'base64'))
→ No action needed. These IOCs are false positives from the static scanner.
 scripts/hyfceph-service-client.mjs:110
低危
Verbose SKILL.md with no security-relevant hidden behavior 文档欺骗
SKILL.md is 189 lines with detailed workflow and reply-style guidelines. While broad, it accurately describes all capabilities including shell execution, filesystem writes, network calls, and API key persistence.
Run the HYFCeph cephalometric workflow through the HYFCeph portal with an API key
→ No action needed. Verbose docs are a style concern, not a security flaw.
 SKILL.md:1
资源类型声明权限推断权限状态证据
文件系统 READ+WRITE READ+WRITE ✓ 一致 SKILL.md declares local image upload and result file persistence; code reads use…
网络访问 READ READ ✓ 一致 All fetch() calls go exclusively to https://hyfceph.52ortho.com/ API endpoint; n…
命令执行 WRITE WRITE ✓ 一致 SKILL.md declares 'node scripts/hyfceph-service-client.mjs' execution; no hidden…
环境变量 NONE READ ✓ 一致 hyfceph-service-client.mjs:292 reads HYFCEPH_API_KEY, HYFCEPH_PORTAL_BASE_URL, H…
3 严重 8 项发现
🔒
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(base64, 'base64'
scripts/hyfceph-service-client.mjs:110
🔒
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(artifacts.annotatedSvgBase64, 'base64'
scripts/hyfceph-service-client.mjs:596
🔒
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(artifacts.contourSvgBase64, 'base64'
scripts/hyfceph-service-client.mjs:605
🔗
中危 外部 URL 外部 URL
https://hyfceph.52ortho.com/
SKILL.md:39
🔗
中危 外部 URL 外部 URL
http://www.w3.org/2000/svg
scripts/hyfceph-report-pdf.mjs:1946
🔗
中危 外部 URL 外部 URL
http://www.d-project.com/
scripts/vendor/qrcode.mjs:7
🔗
中危 外部 URL 外部 URL
http://www.opensource.org/licenses/mit-license.php
scripts/vendor/qrcode.mjs:10
🔗
中危 外部 URL 外部 URL
http://www.denso-wave.com/qrcode/faqpatent-e.html
scripts/vendor/qrcode.mjs:14

目录结构

5 文件 · 173.9 KB · 5314 行
JavaScript 3f · 5121L Markdown 1f · 189L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 3.3 KB
├─ 📁 scripts
│ ├─ 📁 vendor
│ │ └─ 📜 qrcode.mjs JavaScript 2237L · 50.7 KB
│ ├─ 📜 hyfceph-report-pdf.mjs JavaScript 2123L · 85.2 KB
│ └─ 📜 hyfceph-service-client.mjs JavaScript 761L · 25.0 KB
└─ 📝 SKILL.md Markdown 189L · 9.6 KB

依赖分析 1 项

包名版本来源已知漏洞备注
qrcode.mjs unversioned bundled local vendor Open-source QR code library, no external dependencies

安全亮点

✓ All shell execution is declared and uses the documented node script entry point
✓ Network requests are confined to a single, legitimate medical API endpoint (https://hyfceph.52ortho.com/)
✓ API key is stored locally in ~/.codex/state/hyfceph-auth.json with user consent and validation
✓ Base64 usage is exclusively for decoding server-returned image data (PNG/SVG), not for executing encoded payloads
✓ No eval(), no exec() with user input, no curl|bash patterns, no direct IP connections
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No obfuscation, no steganography, no suspicious HTML comments
✓ No persistence mechanisms beyond legitimate state file storage
✓ PDF generation uses Chrome headless (documented) with graceful fallback
✓ Vendor library qrcode.mjs is a standard open-source QR code generator with no malicious modifications